W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: Last call for public comments on Web Crypto charter

From: Mark Watson <watsonm@netflix.com>
Date: Sat, 19 Nov 2011 19:29:28 +0000
To: Harry Halpin <hhalpin@w3.org>, "public-identity@w3.org" <public-identity@w3.org>
Message-ID: <AE047CFC-932E-433E-BDA6-7221390BC3F3@netflix.com>
Harry,

I'm sorry these comments are coming rather late.

We share some of the concerns that have been expressed about the scope of the charter focussing on solutions rather than on the problem. The specific technology solutions should be driven by use-cases and identifying these should be the first task of the group (unless we want to do that now, and have scope be "support these use-cases").

I think that in essence what we are trying to achieve is to enable Web Application Developers to create secure application protocols. I took a stab at re-casting the first three paragraphs of the scope in this way. I think that the intention of the existing text is maintained, but at this different level. I also think we should be explicit about the need for use-cases and give the group a mandate to exclude use-cases based on schedule risk (the reason for trying in advance to exclude one technology area or another was only to have a task that could be finished on time. But commonly there is churn in the mapping of features to releases based on actually meeting the schedule, so why not just be explicit about that).

Regarding the features currently mentioned, I think we should explicitly add a mention of pre-provisioned keys, as we have discussed at the meeting. I'm also not sure what it meant by excluding "multi-key collections" - as soon as you want to generate temporary session keys from long-lived keying material you have more than one key for an origin.

So I propose replacing paragraphs 2-4 of the scope with:

"The Web Cryptography API will provide Web Application developers with the primitives needed to implement secure application protocols, including message confidentiality and authentication services, based on secure storage of private keying material below the JS API. Features to be supported shall be derived from concrete use-cases - the definition of which shall form the initial part of the group's work - but shall include at least support of public key and symmetric cryptography, key generation, key agreement and use of pre-provisioned keys.

Capabilities related to identity, meaning ways to securely associate secret keying material with users or services, shall be out of scope.

In identifying use-cases, the group shall consider the primary objective of meeting the schedule outlined below and may therefore exclude use-cases requiring capabilities expected to cause excessive schedule risk. As guidance it is expected that access control beyond the same-origin policy, management and validation of certificates and device-specific access to keying material."

I am not sure what the "device-specific access to keying material" means, though ?

We will happily provide a detailed use-case involving securing communication between Javascript application and server in a way that is bound to a pre-provisioned key.

...Mark


On Nov 17, 2011, at 7:17 AM, Harry Halpin wrote:

Everyone,

On next Tuesday, as said earlier, I plan to take the Web Cryptography
charter [1] from the wiki and put it into HTML as an "official draft
charter" then ask for preliminary feedback from the AC, before going to
real AC review in December (thus launching Working Group in January).

So, if you have any comments, *now* is the time to send to the mailing
list. Suggested text replacement is most welcome.

     cheers,
        harry

[1] http://www.w3.org/wiki/IdentityCharter
Received on Saturday, 19 November 2011 19:29:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 19 November 2011 19:30:00 GMT